Privacy policy.

Last updated: May 3, 2026

This Privacy Policy describes how Holiander, Inc. ("Holiander," "we," "us"), a California S corporation, collects, uses, shares, and protects information in connection with Thorgate, our vendor privacy monitoring service (the "Service") offered at thorgate.com. Thorgate is one of Holiander's products.

The Security page describes our infrastructure, subprocessors, and operational practices in factual terms — treat that as the canonical reference for "what actually happens to my data." This page describes the legal framework around it.

1. Who we are

Holiander operates the Service. We are the data controller for personal data processed about our customers and account users. For data customers submit about third parties (e.g., URLs of public vendor documents), we are a processor; the customer is the controller.

For privacy questions or requests: support@thorgate.com.

2. What we collect

Account data. When you create an account, we collect your name, email address, and a hashed password. If you invite team members, we collect the same for them.

Workspace data. The vendors you choose to track and the URLs of their public documents. The internal notes you add to vendors. Your digest delivery preferences. Your tier selections, severity thresholds, and review actions.

Billing data. A Stripe customer identifier and subscription status. We do not collect or store credit card numbers — Stripe holds those, and our service only sees the identifier and the subscription state.

Operational logs. Server access and error logs, including IP addresses, user agents, request paths, and response codes. Used for security, abuse prevention, and debugging.

Communications. Records of emails we send you (digests, account notices, support replies) and email contents you send us.

What we don't collect. We do not run third-party analytics, advertising trackers, marketing pixels, or session-replay tools. We do not buy data about you from third parties.

3. How we use it

We use the data we collect to:

  • Provide, operate, and improve the Service.
  • Send transactional email — account verification, password resets, digest emails, billing notices.
  • Process subscription billing through Stripe.
  • Detect and prevent abuse, fraud, and security incidents.
  • Respond to support requests.
  • Comply with legal obligations (tax, accounting, lawful requests from authorities).
  • Send service announcements (rarely; substantive product changes only).

We do not sell personal data. We do not share it with advertisers. We do not use customer data to train AI models.

4. Legal bases (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, the legal bases on which we process personal data are:

  • Contractual necessity — to provide the Service you've agreed to.
  • Legitimate interests — for security, abuse prevention, internal analytics, and product improvement, balanced against your privacy interests.
  • Legal obligations — for tax, accounting, and lawful requests from authorities.
  • Consent — for any optional marketing communications you opt into. You can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

5. Subprocessors and data sharing

We use a small set of subprocessors to deliver the Service. The current list is published publicly on our Security page. At a high level, we share data with:

  • Our infrastructure provider (hosting, database, queue).
  • Mailjet (email delivery).
  • Jina (fetching public web pages our direct crawler can't reach — only public URLs are sent; no customer-account data).
  • Anthropic (AI summarization and classification — only public document content is sent; no customer-account data).
  • Stripe (subscription billing).

We notify customers by email before adding new subprocessors. If you object, you can terminate your subscription before the change takes effect.

We disclose personal data to government authorities only when legally required (subpoena, court order, valid legal process). We will notify you before complying when permitted by law.

6. International transfers

Holiander operates infrastructure in the United States. If you are in the EEA, UK, or Switzerland and your personal data is transferred to the US, the transfer is covered by the European Commission's Standard Contractual Clauses (SCCs) and supplementary measures.

EU/UK customers can request our Data Processing Agreement (which incorporates the SCCs as Module Two and Module Three) by emailing support@thorgate.com.

7. Data retention

Account data is retained for the life of your subscription. After cancellation, it is retained for an additional 60 days (during which you can recover the account by re-subscribing), then permanently deleted, except where retention is required for legal, tax, or accounting reasons.

Document version history. On the Starter plan, we retain version history for 12 months. On Pro and Scale, we retain it indefinitely while your subscription is active. You can request earlier deletion at any time.

Operational logs are retained for 90 days, then deleted.

Communications. Support email threads and digest send logs are retained for 12 months for support and dispute resolution.

You can request export or earlier deletion at any time via support@thorgate.com.

8. Your rights

Depending on your jurisdiction (GDPR, UK GDPR, CCPA, CPRA, and similar laws), you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your data ("right to be forgotten").
  • Restrict or object to processing.
  • Receive your data in a portable format.
  • Withdraw consent for any processing based on consent.
  • Lodge a complaint with a supervisory authority (in the EEA: your local Data Protection Authority).

Submit any request to support@thorgate.com. We will respond within 30 days. We will not discriminate against you for exercising your rights.

9. California residents (CCPA / CPRA)

Holiander is registered in California and the Service is subject to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

The categories of personal information we process are described in section 2 above. The purposes of processing are described in section 3. Retention periods are described in section 7. The categories of third parties with whom we share information are described in section 5.

We do not "sell" personal information and we do not "share" it for cross-context behavioral advertising as those terms are defined under the CCPA / CPRA. We do not process sensitive personal information for purposes that would require an opt-out right under CPRA.

California residents may exercise their rights under the CCPA / CPRA — to know, delete, correct, port, limit use of sensitive PI, and not be discriminated against — by emailing support@thorgate.com.

10. Cookies and tracking

We use a single first-party session cookie for authentication. It is HttpOnly, Secure, and SameSite=Lax. Without it, you can't stay logged in.

We do not use cookies for advertising, retargeting, or third-party analytics. We do not run cross-site trackers or fingerprinting tools.

11. AI processing

Thorgate uses Anthropic's Claude API to generate change summaries, severity classifications, and structured fact extractions. The data sent to Anthropic is limited to the public document content you've chosen to track (e.g., a vendor's privacy policy text). We do not send customer-account data, settings, usage patterns, or notes to Anthropic.

Anthropic's API terms prohibit use of API content for model training. Holiander does not use AI-generated outputs about you or your data for any purpose other than serving them to you in the Service.

12. Security

We implement industry-standard administrative, technical, and physical safeguards to protect data: TLS 1.3 for all transport, hashed passwords (bcrypt), isolated databases with distinct credentials, access logging, and the principle of least privilege for staff. The Security page details current practices.

No method of internet transmission or storage is 100% secure. While we follow current best practices, we cannot guarantee absolute security. Notify us at support@thorgate.com if you believe there's been a security incident affecting your account.

13. Children's privacy

Thorgate is a B2B compliance product not directed to anyone under 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected such data, we will delete it.

14. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated at least 30 days in advance via email and reflected in the "Last updated" date at the top of this page.

15. Contact

For questions about this Privacy Policy, or to exercise any of your rights, contact support@thorgate.com.

Holiander, Inc.
California, United States